X-Git-Url: https://git.mxchange.org/?a=blobdiff_plain;ds=sidebyside;f=include%2Fsecurity.php;h=b13a507cf483c124e5e1de3ed3817b205784d3aa;hb=daf94a8f6320d633a2ba727b3d0e53c2b74d9246;hp=3cdfb4f28d83ab6921d6f3f152def8b886cacbf3;hpb=390d5706f46ce58cbed24b292d5c1f1b9789a8a8;p=friendica.git diff --git a/include/security.php b/include/security.php index 3cdfb4f28d..b13a507cf4 100644 --- a/include/security.php +++ b/include/security.php @@ -1,11 +1,16 @@ $user["uid"], + $value = json_encode(["uid" => $user["uid"], "hash" => cookie_hash($user), - "ip" => $_SERVER['REMOTE_ADDR'])); + "ip" => $_SERVER['REMOTE_ADDR']]); } else { $value = ""; } @@ -73,10 +78,10 @@ function authenticate_success($user_record, $login_initial = false, $interactive if ($a->user['login_date'] <= NULL_DATE) { $_SESSION['return_url'] = 'profile_photo/new'; $a->module = 'profile_photo'; - info(t("Welcome ") . $a->user['username'] . EOL); - info(t('Please upload a profile photo.') . EOL); + info(L10n::t("Welcome ") . $a->user['username'] . EOL); + info(L10n::t('Please upload a profile photo.') . EOL); } else { - info(t("Welcome back ") . $a->user['username'] . EOL); + info(L10n::t("Welcome back ") . $a->user['username'] . EOL); } } @@ -102,12 +107,35 @@ function authenticate_success($user_record, $login_initial = false, $interactive } } - $r = dba::select('user', array('uid', 'username', 'nickname'), - array('password' => $master_record['password'], 'email' => $master_record['email'], 'account_removed' => false)); - if (DBM::is_result($r)) { - $a->identities = dba::inArray($r); + if ($master_record['parent-uid'] == 0) { + // First add our own entry + $a->identities = [['uid' => $master_record['uid'], + 'username' => $master_record['username'], + 'nickname' => $master_record['nickname']]]; + + // Then add all the children + $r = dba::select('user', ['uid', 'username', 'nickname'], + ['parent-uid' => $master_record['uid'], 'account_removed' => false]); + if (DBM::is_result($r)) { + $a->identities = array_merge($a->identities, dba::inArray($r)); + } } else { - $a->identities = array(); + // Just ensure that the array is always defined + $a->identities = []; + + // First entry is our parent + $r = dba::select('user', ['uid', 'username', 'nickname'], + ['uid' => $master_record['parent-uid'], 'account_removed' => false]); + if (DBM::is_result($r)) { + $a->identities = dba::inArray($r); + } + + // Then add all siblings + $r = dba::select('user', ['uid', 'username', 'nickname'], + ['parent-uid' => $master_record['parent-uid'], 'account_removed' => false]); + if (DBM::is_result($r)) { + $a->identities = array_merge($a->identities, dba::inArray($r)); + } } $r = dba::p("SELECT `user`.`uid`, `user`.`username`, `user`.`nickname` @@ -137,11 +165,11 @@ function authenticate_success($user_record, $login_initial = false, $interactive header('X-Account-Management-Status: active; name="' . $a->user['username'] . '"; id="' . $a->user['nickname'] . '"'); if ($login_initial || $login_refresh) { - dba::update('user', array('login_date' => datetime_convert()), array('uid' => $_SESSION['uid'])); + dba::update('user', ['login_date' => DateTimeFormat::utcNow()], ['uid' => $_SESSION['uid']]); // Set the login date for all identities of the user - dba::update('user', array('login_date' => datetime_convert()), - array('password' => $master_record['password'], 'email' => $master_record['email'], 'account_removed' => false)); + dba::update('user', ['login_date' => DateTimeFormat::utcNow()], + ['parent-uid' => $master_record['uid'], 'account_removed' => false]); } if ($login_initial) { @@ -157,7 +185,7 @@ function authenticate_success($user_record, $login_initial = false, $interactive } if ($login_initial) { - call_hooks('logged_in', $a->user); + Addon::callHooks('logged_in', $a->user); if (($a->module !== 'home') && isset($_SESSION['return_url'])) { goaway(System::baseUrl() . '/' . $_SESSION['return_url']); @@ -377,12 +405,21 @@ function get_form_security_token($typename = '') function check_form_security_token($typename = '', $formname = 'form_security_token') { - if (!x($_REQUEST, $formname)) { - return false; + $hash = null; + + if (!empty($_REQUEST[$formname])) { + /// @TODO Careful, not secured! + $hash = $_REQUEST[$formname]; } - /// @TODO Careful, not secured! - $hash = $_REQUEST[$formname]; + if (!empty($_SERVER['HTTP_X_CSRF_TOKEN'])) { + /// @TODO Careful, not secured! + $hash = $_SERVER['HTTP_X_CSRF_TOKEN']; + } + + if (empty($hash)) { + return false; + } $max_livetime = 10800; // 3 hours @@ -400,7 +437,7 @@ function check_form_security_token($typename = '', $formname = 'form_security_to function check_form_security_std_err_msg() { - return t('The form security token was not correct. This probably happened because the form has been opened for too long (>3 hours) before submitting it.') . EOL; + return L10n::t("The form security token was not correct. This probably happened because the form has been opened for too long \x28>3 hours\x29 before submitting it.") . EOL; } function check_form_security_token_redirectOnErr($err_redirect, $typename = '', $formname = 'form_security_token')